DETERMINISTIC USER AUTHENTICATION SERVICE 
FOR COMMUNICATION NETWORK 

FIELD OF THE INVENTION 

The present invention relates to regulating connectivity to and within 
communication networks. More specifically, the present invention relates to 
authenticating and establishing personalized network connectivity for local users of 
institutional communication networks. 

BACKGROUND OF THE INVENTION 

Institutions increasingly rely on data communication infrastructures for efficient 
communication and data transfer. With this increasing reliance on network computing 
has arisen a significant need for mechanisms to regulate connectivity to and within 
such networks. This need has been partially filled by internet protocol (IP) firewalls. 
IP firewalls typically restrict access to fixed sets of network resources by applying a 
set of protocol level filters on a packet-by-packet basis or by requiring prospective 
users to become authenticated before gaining access to the resources. Authentication 
has generally required users to supply certain signature information, such as a 
password. While this requirement of signature information has reduced the risk of 
unauthorized access to firewall-protected resources, firewalls have proven an imperfect 
and inflexible regulatory solution. Because firewalls are protocol-specific, firewalls 
have not provided a means for regulating network connectivity in a multi-protocol 
environment. Moreover, because firewalls regulate access to particular network 
resources, they have failed to provide a means for regulating access to sets of 
network resources which can vary as a function of user identity. 

Protocol-independent mechanisms have also been deployed for authenticating 
users of the resources of institutional networks. However, such authentication 
mechanisms are only known to have been deployed to challenge remote users attempting 
to log-in over dial-up phone lines. Such mechanisms are not known to regulate the 
network access of local users logging-in over LAN interfaces, such as Ethernet or 
Token Ring interfaces. Moreover, such mechanisms have, like firewalls, provided an 
inflexible solution which is unable to regulate access to customized or personalized sets 
of resources within the network based on user identity. 

The flexibility limitations of the foregoing log-in challenge mechanisms have 
been partially overcome by independently implementing virtual local area networks 
(VLANs) within institutional networks. VLANs are sub-networks which typically 
include a plurality of network devices, such as servers, workstations and PCs, that 
together form a logical work group within a larger network. Because VLAN membership 
is assigned based on policies rather than physical location in the network, network 
bandwidth has been conserved and network security enhanced by assigning VLAN 
membership based on considerations of efficiency and need and restricting the flow of 
network traffic across VLAN boundaries. 

While significant security and efficiency gains have been realized by policy-based 
VLANs, the solution they have offered is far from complete. VLAN membership has 
generally been assigned to end systems without reference to the identity of the users of 
such systems. In the current technology, for instance, VLAN membership is typically 
assigned by comparing network traffic with a configured set of rules which classify the 
traffic, and by inference the system which originated the traffic, into one or more 
VLANs. The identity of the user who sent the traffic is not considered in the assignment 
process. The failure to consider user identity leaves some network security issues 
unaddressed. Particularly, a person not authorized to use the resources of a VLAN may 
be able to gain access to its resources by transmitting data packets which the configured 
rules will classify into the VLAN, either by communicating over a member end system or 
by spoofing the required identifiers. Known VLAN assignment methods have also failed 
to contemplate providing conditional access to users based on the day of the week, the 
time of day, the length of access or a combination of such factors. Furthermore, current 
networking equipment and policy-based VLANs in particular have not offered collateral 
functionality, such as the ability to dynamically track where local users are connected to 
the network. Such a tracking mechanism would greatly simplify tasks such as network 
troubleshooting by allowing the network location of a user requesting technical support to 
be easily determined. 



Accordingly, there is a need for comprehensive services for regulating 
connectivity in institutional networks which are not subject to the inflexibility of 
conventional user log-in mechanisms or the lack of consideration for user identity of 
conventional VLAN assignment techniques. There is also a need for services which 
authenticate local users of institutional networks before establishing network 
connectivity. There is a further need for user authentication services which provide 
collateral functionality, such as the ability to dynamically track the whereabouts of 
users. 



SUMMARY OF THE INVENTION 

In accordance with its basic feature, the present invention combines the user- 
specific advantages of log-in challenges and the flexibility of VLANs into a deterministic 
user-based authentication and tracking service for local users of institutional 
communication networks. 

It is therefore one object of the present invention to provide a service which 
authenticates local users before establishing network connectivity. 

It is another object of the present invention to provide a service which assigns and 
regulates user access to personalized sets of network resources. 

It is another object of the present invention to provide a service which grants user 
access to personalized sets of network resources upon verifying signature information. 

It is another object of the present invention to provide a service which conditions 
user access to personalized sets of network resources on one or more time-dependent 
variables. 

It is another object of the present invention to provide a service which tracks user 
identity and network location. 

These and other objects are achieved by a user authentication service 
which requires that local users be authenticated before gaining access to personalized sets 
of network resources. User identification information, time restrictions and authorized 
lists of resources for particular users are entered and stored in the network. Prior to 
authentication, packets from an end system being used by a prospective user of network 
resources are transmitted to an authentication agent operative on an intelligent edge 
device associated with the system. The agent relays log-in responses received from the 
system to a basic authentication server in the network for verification of the user. 
Verification is made by comparing log-in responses with the user identification 
information stored in the network and determining whether the restrictions associated 
with the user identification information are applicable. If the basic authentication server 
is able to verify from the log-in response that the user is an authorized user of network 
resources, and that the user is authorized to use the network resources at the time of the 
log-in attempt, the basic authentication server transmits to the agent the list of network 
resources for which the user is authorized, along with any time restrictions. The agent 
forwards the list of authorized network resources and time restrictions for storage and use 
on the edge device. The edge device uses the authorized list of resources and time 
restrictions to establish network connectivity rules for the user. Preferably, the 
authorized list of network resources is a list of one or more VLANs. 

If the basic authentication server is unable to verify from the log-in response that 
the user is an authorized user of network resources and authorized to use network 
resources at the time of the log-in attempt, the basic authentication server communicates 
that information to the agent. Packets from the user continue to be directed to the agent 
or, alternatively, are dropped. Preferably, the number of log-in attempts users are granted 
before packets are dropped is configurable. 

In another aspect of the invention, the basic authentication server records 
information relating to the identity and network location of users learned from log-in 
attempts. The information is accessible by a network administrator tracking network 
activity from a network management station. 

In another aspect of the invention, when the basic authentication server 
successfully verifies that the user is an authorized user of network resources, and that the 
user is authorized to use the network resources at the time of the log-in attempt, the basic 
authentication server, in lieu of transmitting to the agent the list of authorized network 
resources and time restrictions, initiates an enhanced authentication method for the user. 
The enhanced authentication method is preferably conducted by an enhanced 
authentication server within the network. 

In another aspect of the invention, when an authenticated user logs off the 
network, or fails to transmit packets for a predetermined time, or if the system being used 
by the authenticated user is disconnected from the network, or if the authorized 
connectivity period expires, or if the basic authentication server or other management 
entity instructs the agent to abolish the authenticated user's network connectivity, the 
authenticated user's network connectivity is deactivated. 

The present invention can be better understood by reference to the following 
detailed description, taken in conjunction with the accompanying drawings which are 
briefly described below. Of course, the actual scope of the invention is defined by the 
appended claims. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic of a network in which a preferred embodiment of the present 
invention is operative; 

Fig. 2 is a schematic of an intelligent edge device operative in the network 
according to Fig. 1; 

Fig. 3A is a schematic of a network management station operative in the network 
according to Fig. 1; 

Fig. 3B is a schematic of an end system operative in the network according to Fig. 1; 

Fig. 4 is a functional diagram of an authentication agent operative in the network 
according to Fig. 1; 

Fig. 5 is a functional diagram of a basic authentication server operative in the 
network according to Fig. 1; 

Fig. 6 is a functional diagram of an authentication client operative in the network 
according to Fig. 1; 

Fig. 7 is a schematic of a LAN in which a more preferred embodiment of the 
present invention is operative; 

Fig. 8 is a functional diagram of a basic authentication server operative in the 
network according to Fig. 7; 

Fig. 9 is a flow diagram of a preferred method for authenticating users within 
network 1; and 

Fig. 10 is a flow diagram of a preferred method for authenticating users within 
network 7. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring to Fig. 1, a network 1 operating in accordance with a preferred 
embodiment of the present invention is shown. Network 1 includes intelligent edge 
devices 10, 15 and a network management station 20 interconnected over a backbone 
network 30, such as an asynchronous transfer mode (ATM) or fiber distributed data 
interface (FDDI) network. Devices 10, 15 and station 20 are interconnected using cables, 
which may be fiber optic, unshielded twisted pair, or other form. Devices 10, 15 are 
associated with end systems 40, 50, 60, and 45, 55, 65, respectively, which are operative 
in local area network (LAN) communication media, such as Ethernet or Token Ring. It 
will be appreciated that Ethernet as used herein is not limited to 10 megabit Ethernet, but 
includes other Ethernet varieties, such as Fast Ethernet and Gigabit Ethernet. Systems 40, 
50, 60 and 45, 55, 65 may be workstations, PCs, or other systems having a user interface. 
Although the illustrated network 1 is shown to include two edge devices each associated 
with multiple end systems, it will be appreciated that a network operating in accordance 
with the present invention may include one or more edge devices interconnected across a 
backbone network, and that each edge device may be associated with one or more end 
systems or servers. It will also be appreciated that, in networks operating in accordance 
with the present invention, every edge device preferably has common operational 
capabilities. 

Turning to Fig. 2, device 10 is shown in greater detail. Device 10 is preferably 
representative of devices 10, 15. Device 10 includes a management processor module 
210, backbone module 220 and authentication modules 240, 250, 260 interconnected over 
a switching link 230. Modules 220, 240, 250, 260 are preferably implemented using 
custom logic, e.g., application specific integrated circuits (ASICs), while management 
processor module 210 is preferably software-implemented. Authentication modules 240, 
250, 260 each include a LAN interface interconnecting systems 40, 50, 60, respectively, 
and switching link 230. In contradistinction to hubs which indiscriminately forward 
packets in unmodified form to all associated end systems, device 10 includes means on 
each of modules 220, 240, 250, 260 for interpreting, modifying, filtering and forwarding 
packets. Preferably, modules 220, 240, 250, 260 are also operative to perform necessary 
LAN media translations so that device 10 is able to support end stations operating using 
disparate LAN media. Thus, for example, system 40 utilizing an Ethernet 
communication protocol may communicate through device 10 with system 50 utilizing 
Token Ring. LAN switches marketed by the assignee hereof under the federally 
registered trademarks OmniSwitch® and PizzaSwitch®, implemented with appropriate 
switching modules available from the assignee, may advantageously be implemented as 
devices 10, 15 in the performance of the above-described functionality. 

Turning to Fig. 3A, a schematic diagram of network management station 20 is 
shown. Preferably, station 20 includes a user interface 310, a software-implemented 
basic authentication server 320 and user records 330. Although server 320 and user 
records 330 are shown operative on station 20, server 320 and user records 330, or either 
one, may be operative on another device in network 1 accessible by station 20. Although 
network 1 is illustrated to include a single basic authentication server 320, a network 
operating in accordance with the present invention may include one or more basic 
authentication servers. Server 320 is preferably configured with an address of each of 
devices 10, 15 and an associated authentication key for the authentication agent active on 
each of devices 10, 15. The addresses are preferably IP addresses. 

Turning to Fig. 3B, a schematic diagram of system 40 is shown. System 40 is 
representative of systems 40, 50, 60 and 45, 55, 65. System 40 has a user interface 350 
and an authentication client 360. Authentication client 360 is software used during the 
authentication process. This is preferably a software application installed on system 40 
but may also take the form of a standard software application such as Telnet. Client 360 
is configured with an address of an authentication agent on associated device 10, which 
may be an IP address or a reserved media access control (MAC) address. 

An authentication agent is deployed on each of devices 10, 15. Turning to Fig. 4, 
a functional diagram of an authentication agent 400 residing on device 10 is shown. 
Agent 400 is preferably a software module implemented by management processor 
module 210. Agent 400 is configured with an address of device 10, an address of basic 
server 320 and an authentication key for server 320. The configured addresses are 
preferably IP addresses. 

Agent 400 includes CNCT EST means 410. Means 410 serves, upon initialization 
of device 10, to establish a secure connection with server 320. Means 410 requests a 
connection to server 320 using the known address of server 320 and acknowledges a 
response from server 320 to such a request. Means 410 also transmits and receives 
information from and to server 320 sufficient to allow agent 400 and server 320 to 
authenticate one another. Preferably, mutual authentication is accomplished through 
exchange of authentication keys configured on agent 400 and server 320. Means 410 
may encrypt information and decipher encrypted information transmitted during the 
secure connection establishment process. TCP/IP based flows between agent 400 and 
server 320 are contemplated. Although network 1 is shown to include only one basic 
server 320, it will be appreciated that a network may include more than one basic server. 
If an agent is configured with the address of more than one basic server in the network, 
and an attempt to establish a secure connection with a particular server fails, the agent 
may implement the foregoing process using the known address of another basic server 
until a secure connection is established. 

Agent 400 also includes ID REQ means 420. Means 420 serves to obtain log-in 
responses from users of associated systems 40, 50, 60 by communicating with 
authentication clients operative on systems 40, 50, 60. Means 420 acknowledges requests 
received from clients to establish an authentication session. Means 420 responds to the 
requests by transmitting a log-in prompt to the requesting one of clients. IP-based flows 
using an application, such as Telnet, or MAC-based flows between agent 400 and clients 
are contemplated. Flows are initiated by clients using a reserved MAC address or IP 
address of agent 400 configured on clients. 

Agent 400 also includes ID RLY means 430. Means 430 serves to relay to server 
320 for verification log-in responses received from users in response to log-in prompts. 
Means 430 associates the known address of device 10, the identifier of the authentication 
module (i.e., 240, 250 or 260) associated with the one of systems 40, 50, 60 being used 
by a user and the log-in response. Means 430 transmits the associated authentication 
information to server 320 for verification. 

Agent 400 also includes VER RLY means 440. Means 440 serves to relay user 
status information received from server 320 to users. Means 440 transmits user status 
information to the one of systems 40, 50, 60 being used by a user. User status information 
preferably includes a log-in valid or log-in invalid message, depending on whether server 
320 was able to successfully verify the log-in response. IP-based flows using an 
application such as Telnet or MAC-based flows are contemplated for transmission of user 
status information between agent 400 and clients. 

Agent 400 also includes a further means 450. Means 450 serves to terminate 
an authentication session if a user has failed to be authenticated after a configurable 
number of failed log-in attempts. Means 450 transmits to the client associated with the 
one of systems 40, 50, 60 being used by the user an authentication session termination 
message after a configurable number of log-in failures. Means 450 also terminates the 
authentication session with the one of clients. 

Agent 400 also includes RSRC RLY means 460. Means 460 serves to forward for 
storage and use on device 10 authorized connectivity information received from server 
320 for authenticated users of systems 40, 50, 60. Authorized connectivity information 
may advantageously be transmitted by server 320 to agent 400 in the same data packet as 
user status information. Authorized connectivity information includes, for the particular 
one of the systems 40, 50, 60, a list of authorized network resources. Authorized 
connectivity information may also include time restrictions, if any. Time restrictions 
preferably define times during which the particular user is authorized to use the network 
resources, such as the day of the week, the time of day, and the length of permitted 
access. The list of authorized network resources is preferably a list of VLAN identifiers. 
Authorized connectivity information is preferably forwarded by agent 400 to 
management processor module 210 along with the authentication module identifier. 
Management processor module 210 preferably associates the authorized connectivity 
information with a known address of the one of the systems 40, 50, 60 being used by the 
authenticated user and stores the pair in device records. The address is preferably a MAC 
address. 

Device records are advantageously used on device 10 to make filtering and 
forwarding decisions on packets received from and destined for authenticated users. 
Packets transmitted by an unauthenticated one of systems 40, 50, 60, unless addressed to 
authentication agent 400, are dropped by the receiving one of modules 240, 250, 260. 
Packets addressed to an unauthenticated one of systems 40, 50, 60 are also dropped. 
Packets transmitted by one of authenticated systems 40, 50, 60 addressed to another 
authenticated one of systems 40, 50, 60 are selectively forwarded according to the 
following rules: 

1. If the destination address is the address of another one of systems 40, 
50, 60 associated with device 10, resort is made to device records on 
device 10 to verify that the source and destination systems share a 
conunon VLAN. If a VLAN is shared, the packet is forwarded to the 
destination system. If a VLAN is not shared, the packet is dropped. 
2. If the destination address is not the address of another one of systems 
40, 50, 60 associated with device 10, resort is made to device records 
on device 10 to retrieve the VLAN identifiers associated with the 
source system. The VLAN identifiers are appended to the packet and 
the packet is forwarded to backbone module 220 for transmission on 
backbone network 30. When the packet arrives on the edge device 
(e.g., 15) associated with the destination system (e.g., 45), resort is 
made to device records on the edge device to verify that the source and 
destination systems share a common VLAN. If a VLAN is shared, the 
packet is forwarded to the destination system. If a VLAN is not 
shared, the packet is dropped. 

Packets addressed to unauthenticated systems in network 1 continue to be dropped. The 
foregoing rules may be implemented using various known protocols. See, e.g., Ross U.S. 
Patent No. 5,394,402 and Nair & Bailey, Application Serial No. 08/782,444, which are 

incorporated herein by reference. It will be appreciated that any addressable core, edge, 
or end devices, stations and systems in network 1 which are not subject to authentication 
requirements may be treated as authenticated systems for purposes of transmitting and 
receiving packets under the foregoing rules. 

Agent 400 also includes ID TERM means 470. Means 470 serves, upon receipt of 
log-off commands from authenticated users, or upon expiration of the authorized 
connectivity period, or when one of authenticated systems 40, 50, 60 is physically 
disconnected from network 1, or when one of authenticated systems 40, 50, 60 fails to 
send traffic for a prescribed length of time, or upon receipt of instruction from server 320, 
to deactivate the established network connectivity. Means 470 forwards to management 
processor module 210 a request to remove from device records the address-authorized 
connectivity information entry for the user whose connectivity is to be deactivated. Upon 
receipt of such a request, management processor module 210 preferably removes the 
entry from device records and the authenticated one of systems 40, 50, 60 reverts to the 
unauthenticated state. 
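The two forwarding rules and the deactivation path described above can be exercised in code. The following is an added example, not part of the patent or of the assignee's switch software: device records are modelled as a dictionary from end-system MAC address to the set of authorized VLAN identifiers, the reserved agent MAC address, end-system addresses and VLAN numbers are constructed for the demonstration, and the backbone tagging is modelled by carrying the source's VLAN identifiers on the packet object rather than in a real frame encapsulation. Systems not subject to authentication are handled as the page says, by treating them as authenticated.

```python
from dataclasses import dataclass
from typing import Optional

AGENT_MAC = "01:80:c2:00:00:ee"   # constructed reserved MAC address of agent 400


@dataclass
class Packet:
    src: str                          # source MAC address
    dst: str                          # destination MAC address
    vlans: Optional[tuple] = None     # VLAN identifiers appended for the backbone


class EdgeDevice:
    """Filtering and forwarding on one intelligent edge device (10 or 15)."""

    def __init__(self, name: str, local_macs, exempt=()):
        self.name = name
        self.local = set(local_macs)          # end systems attached to this device
        self.exempt = set(exempt)             # addressable systems not subject to authentication
        self.records = {}                     # device records: MAC -> set of VLAN identifiers

    # RSRC RLY means 460 / management processor module 210: store the address-VLAN pair.
    def authenticate(self, mac: str, vlans) -> None:
        self.records[mac] = set(vlans)

    # ID TERM means 470: log-off, expiry, disconnect, idle timeout or server instruction.
    def deactivate(self, mac: str) -> None:
        self.records.pop(mac, None)           # system reverts to the unauthenticated state

    def _authorized(self, mac: str) -> bool:
        return mac in self.exempt or mac in self.records

    def _share_vlan(self, a: str, b: str) -> bool:
        if a in self.exempt or b in self.exempt:
            return True
        return bool(self.records[a] & self.records[b])

    def handle_local(self, pkt: Packet):
        """Packet received on an authentication module from an attached end system."""
        if pkt.dst == AGENT_MAC:
            return ("agent", pkt)             # the only traffic an unauthenticated system may send
        if not self._authorized(pkt.src):
            return ("drop", "unauthenticated source")
        if pkt.dst in self.local:
            # Rule 1: both systems on this device; deliver only if they share a VLAN.
            if not self._authorized(pkt.dst):
                return ("drop", "unauthenticated destination")
            if self._share_vlan(pkt.src, pkt.dst):
                return ("deliver", pkt)
            return ("drop", "no common VLAN")
        # Rule 2: append the source's VLAN identifiers and hand to backbone module 220.
        vlans = None if pkt.src in self.exempt else tuple(sorted(self.records[pkt.src]))
        return ("backbone", Packet(pkt.src, pkt.dst, vlans))

    def handle_backbone(self, pkt: Packet):
        """Packet arriving from backbone module 220 for a system attached here."""
        if pkt.dst not in self.local:
            return ("drop", "not attached here")
        if not self._authorized(pkt.dst):
            return ("drop", "unauthenticated destination")
        if pkt.vlans is None or pkt.dst in self.exempt or set(pkt.vlans) & self.records[pkt.dst]:
            return ("deliver", pkt)
        return ("drop", "no common VLAN")


def send(src_dev: EdgeDevice, dst_dev: EdgeDevice, pkt: Packet) -> str:
    """End-to-end outcome of one packet across network 1; returns the final action."""
    action, payload = src_dev.handle_local(pkt)
    if action != "backbone":
        return action
    return dst_dev.handle_backbone(payload)[0]


def build_network():
    """Constructed network 1: device 10 with systems 40, 50, 60; device 15 with 45, 55, 65
    and a server 'srv' that is not subject to authentication."""
    d10 = EdgeDevice("10", ["sys40", "sys50", "sys60"])
    d15 = EdgeDevice("15", ["sys45", "sys55", "sys65", "srv"], exempt=["srv"])
    d10.authenticate("sys40", [10, 20])   # authenticated user on system 40
    d10.authenticate("sys50", [30])       # authenticated user on system 50; system 60 is not
    d15.authenticate("sys45", [20])
    return d10, d15
```

Note that a deactivation on device 15 takes effect immediately for traffic arriving over the backbone: the sending device still tags the packet with the source's VLANs, but the receiving device no longer finds a record for the destination and drops it, which is exactly the "reverts to the unauthenticated state" behaviour the page describes.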

Turning to Fig. 5, a functional diagram of basic authentication server 320 is 
shown. Server 320 includes RSRC AUTH means 510. Means 510 serves to enable 
network administrators to define, on an individualized basis, authorized connectivity 
information for users of the network 1. Means 510 enables a network administrator to 
input user-specific entries. Means 510 supplies a textual or graphical display to user 
interface 310 operative to accept user-specific entries. Means 510 stores each user- 
specific entry as a related pair in user records 330. Each user-specific entry preferably 
includes user identifier information and a list of authorized network resources. User- 
specific entries may also include time restrictions for the particular user. User 
identification information preferably includes signature information for the user, such as 
a password. Means 510 also enables a network administrator to input device-specific 
entries. Device-specific entries preferably include, for each edge device in network 1 
having an authentication agent, a device address and an authentication key. Device 
addresses are preferably IP addresses. Means 510 stores each device-specific entry as a 
related pair in network management records (not shown). Each device address is 
preferably uniquely assigned to a particular edge device operative within network 1. 

Server 320 also includes CNCT EST means 520. Means 520 serves, upon receipt 
of a request from an authentication agent, to establish a secure connection with the agent. 
Means 520 acknowledges receipt from the agent of a request to establish a secure 
connection and responds to the request. Means 520 also transmits and receives 
information sufficient to allow the agent and server 320 to authenticate one another. 
Preferably, authentication is established through exchange of authentication keys. Means 
520 may encrypt information and decipher encrypted information transmitted during the 
secure connection establishment process. TCP/IP based flows between the agent and 
server 320 are contemplated. 
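The page leaves the form of the key exchange between CNCT EST means 410 and 520 open, saying only that the configured keys are exchanged and that the exchange may be encrypted. As an added example, not the patent's own protocol, the following sketches one way to meet the stated goal (agent and server authenticate one another using the pre-configured keys) without ever transmitting a key: each side proves possession of the shared key by computing an HMAC over both parties' fresh nonces and its own address. Addresses, keys and message field names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed configuration. Server 320 holds, per edge-device IP address, the
# authentication key of the agent on that device; agent 400 holds the server's
# address and the same key (both sides are configured out of band).
SERVER_KEYS = {
    "10.0.0.10": b"k" * 32,   # device 10
    "10.0.0.15": b"m" * 32,   # device 15
}


def _proof(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class Agent:
    """CNCT EST means 410 on an edge device."""

    def __init__(self, device_addr: str, server_addr: str, key: bytes):
        self.device_addr, self.server_addr, self.key = device_addr, server_addr, key
        self.nonce_a = None

    def connect_request(self) -> dict:
        # Step 1: connection request carrying our address and a fresh nonce.
        self.nonce_a = os.urandom(16)
        return {"device": self.device_addr, "nonce_a": self.nonce_a}

    def check_server(self, reply: dict):
        # Step 3: the server must have bound both nonces and its address with our key.
        expected = _proof(self.key, b"server", self.nonce_a, reply["nonce_s"],
                          self.server_addr.encode())
        if not hmac.compare_digest(expected, reply["proof_s"]):
            return None   # server not authenticated; caller may try another basic server
        # Our own proof uses a different label and order, so it can never pass as a server proof.
        return {"device": self.device_addr,
                "proof_a": _proof(self.key, b"agent", reply["nonce_s"], self.nonce_a,
                                  self.device_addr.encode())}


class Server:
    """CNCT EST means 520 on the basic authentication server."""

    def __init__(self, addr: str, keys: dict):
        self.addr, self.keys, self.pending = addr, keys, {}

    def connect_reply(self, req: dict):
        # Step 2: look up the key by configured device address; unknown devices get no reply.
        key = self.keys.get(req["device"])
        if key is None:
            return None
        nonce_s = os.urandom(16)
        self.pending[req["device"]] = (req["nonce_a"], nonce_s)
        return {"nonce_s": nonce_s,
                "proof_s": _proof(key, b"server", req["nonce_a"], nonce_s, self.addr.encode())}

    def check_agent(self, msg: dict) -> bool:
        # Step 4: verify the agent's proof against the nonces of this handshake only.
        key = self.keys.get(msg["device"])
        pend = self.pending.pop(msg["device"], None)
        if key is None or pend is None:
            return False
        nonce_a, nonce_s = pend
        expected = _proof(key, b"agent", nonce_s, nonce_a, msg["device"].encode())
        return hmac.compare_digest(expected, msg["proof_a"])


def establish(agent: Agent, server: Server) -> bool:
    """Run the four-step handshake in-process; True only if both sides authenticated."""
    reply = server.connect_reply(agent.connect_request())
    if reply is None:
        return False
    msg = agent.check_server(reply)
    return msg is not None and server.check_agent(msg)
```

A proof captured from one handshake is useless in the next because the server consumes its pending nonces on verification, and a failed server proof stops the agent before it reveals anything, which is the point at which the page has the agent move on to another configured basic server. Encrypting the subsequent flows, which the page allows for, would be layered on top, for instance by deriving a session key from the same shared key and nonces under a distinct label.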
Server 320 also includes ID VER means 530. Means 530 serves to subject to a 
verification process authentication information received from users via agent 400. Means 
530, upon receipt of authentication information from agent 400, determines if the log-in 
response matches the user identification information associated with a user-specific entry 
in user records 330. If a match is found, and there are time restrictions associated with 
the user-specific entry, means 530 determines from the time restrictions if the user is 
authorized to use network 1 at the particular time. If the user is time-authorized or there 
are no time restrictions, means 530 generates authorized connectivity information. 
Means 530 retrieves the list of authorized network resources associated with the matching 
user identification information in the generation of authorized connectivity information. 
Authorized connectivity information may also include any time restrictions. Means 530 
also generates user status information. User status information is information sufficient 
to communicate to agent 400 whether user identification information was successfully 
verified. User status information is preferably either a log-in valid or log-in invalid 
message. Means 530 transmits authorized connectivity information and user status 
information to agent 400. Preferably, authorized connectivity information and user status 
information are transmitted as part of the same data packet. If no match for user 
identification information is found, or if the user is not time-authorized, means 530 
generates and transmits to agent 400 user status information, preferably in the form of a 
log-in invalid message, but does not generate or transmit authorized connectivity 
information. Although the above described means operative on server 320 are described 
to be interoperative in conjunction with agent 400, it will be appreciated that the means 
are fully interoperative with other authentication agents residing on edge devices in 
network 1. 
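The verification performed by means 530, together with the time restrictions described for RSRC RLY means 460 and in the summary above, can be written out as follows. This is an added example, not code from the patent: the user records, passwords, VLAN identifiers and restriction schedule are constructed for the demonstration, and storing a salted PBKDF2 hash of the password rather than the password itself is this example's choice (the page says only that signature information such as a password is stored). The function returns the user status and, on success, the authorized connectivity information that the page describes being sent to the agent in one message.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Example's choice: store a salted PBKDF2 hash, not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass(frozen=True)
class TimeRestriction:
    days: frozenset          # ISO weekdays permitted, 1 = Monday .. 7 = Sunday
    start: time              # earliest permitted time of day
    end: time                # latest permitted time of day
    max_minutes: int         # length of permitted access after log-in

    def allows(self, now: datetime) -> bool:
        return now.isoweekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    pw_hash: bytes
    vlans: tuple                                 # authorized network resources
    restriction: Optional[TimeRestriction] = None


def make_user(password: str, vlans, restriction=None) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(salt, _hash_pw(password, salt), tuple(vlans), restriction)


# Constructed user records 330: user identifier -> user-specific entry.
USER_RECORDS = {
    "alice": make_user("correct horse", [10, 20],
                       TimeRestriction(frozenset({1, 2, 3, 4, 5}), time(8, 0), time(18, 0), 600)),
    "bob": make_user("battery staple", [30]),    # no time restrictions
}


def verify_login(records: dict, auth_info: dict, now: datetime) -> dict:
    """ID VER means 530.

    auth_info is what ID RLY means 430 relays: the device address, the authentication
    module identifier and the log-in response (user identifier and password).  Returns the
    user status and, only on success, the authorized connectivity information.
    """
    rec = records.get(auth_info["user"])
    # Hash even for an unknown user so the two failure cases take the same time.
    salt = rec.salt if rec is not None else bytes(16)
    candidate = _hash_pw(auth_info["password"], salt)
    if rec is None or not hmac.compare_digest(candidate, rec.pw_hash):
        return {"status": "log-in invalid"}
    if rec.restriction is not None and not rec.restriction.allows(now):
        return {"status": "log-in invalid"}          # not time-authorized
    connectivity = {
        "device": auth_info["device"],
        "module": auth_info["module"],
        "vlans": list(rec.vlans),
    }
    if rec.restriction is not None:
        # The time restriction travels with the VLAN list so the edge device can expire it.
        connectivity["expires"] = now + timedelta(minutes=rec.restriction.max_minutes)
    return {"status": "log-in valid", "connectivity": connectivity}
```

The same "log-in invalid" status is returned for an unknown user, a wrong password and a log-in outside the permitted window, which matches the page's description of a single invalid message and avoids telling the client which of the three failed.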

Server 320 also includes ID STOR means 540. Means 540 serves to forward for 
storage and use by a network administrator user tracking information. User tracking 
information is preferably retained for all log-in attempts made by prospective users, 
whether successful or unsuccessful. User tracking information may include, for each log- 
in attempt, any information learned from one or more of the following: user 
identification information, authentication information, user status information, authorized 
connectivity information. User tracking information also may include the time of day the 
log-in attempt was made. The time of day may be kept on and obtained from server 320. 
Server 320 preferably associates the user tracking information and stores the information 
as an entry in a network activity database (not shown) that is accessible by or resides on 
station 20. Network activity database entries are accessible by a network administrator 
using interface 310. 

Server 320 also includes NET MNTR means 550. Means 550 serves to enable a 
network administrator to access and use user tracking information. Means 550 supplies a 
textual or graphical display to interface 310 operative to display user tracking 
information. Means 550 also enables a network administrator to generate user tracking 
information reports consisting of related information from one or more user tracking 
information entries. 

Turning to Fig. 6, a functional diagram of client 360 is shown. Client 360 is 
representative of clients residing on systems 40, 50, 60 and 45, 55, 65. Client 360 
includes ID INIT means 610. Means 610 serves, when system 40 is booted-up by a user, 
to request and establish an authentication session with agent 400. Alternatively, means 
610 can be activated by a direct action of the user of system 40. Means 610 transmits to 
agent 400 a request to establish an authentication session using a known address of agent 
400. Client 360 preferably transmits requests periodically until agent 400 responds. A 
MAC-based flow is contemplated. Alternatively, an IP-based flow using an application 
such as Telnet may be used. 

Client 360 also includes ID RPLY means 620. Means 620 serves to enable users 
to reply to log-in prompts received from agent 400. Means 620 supplies a textual or 
graphical display to a user interface of system 40 operative to accept log-in responses. 
Means 620 also transmits log-in responses to agent 400. 

Client 360 also includes VER DSPL means 630. Means 630 serves to convey to 
users whether log-in attempts were successful or unsuccessful. Means 630 supplies a 
textual or graphical display to a user interface of system 40 operative to display user 
status information, preferably a log-in valid message or a log-in invalid message, 
received from agent 400. 

Client 360 further includes ID OFF means 640. Means 640 serves to initiate the 
log-off process by which authenticated users log-off the network 1. Means 640 supplies 
a textual or graphical display to user interface 350 operative to accept log-off commands. 
Means 640 transmits log-off commands to agent 400 for deactivation of established 
network connectivity. 

Referring to Fig. 7, a network 7 operating in accordance with an alternative 
embodiment of the present invention is shown. In the alternative embodiment, an 

Network 7 includes intelligent edge devices 710, 715 and a network management station 
720 interconnected over a backbone network 730 by means similar to those described in 
relation to network 1. Bridges 710, 715 are associated with end systems 740, 750, 760 
and 745, 755, 765, respectively, which utilize LAN communication media, such as 
Ethernet or Token Ring. Network 7 also includes enhanced authentication server 770 
interconnected over backbone network 730. It will be appreciated that, as in the previous 
preferred embodiment, a network operating in accordance with the alternative 
embodiment may include one or more edge devices having common operational 
capabilities and associated with one or more end systems. In network 7, devices 710, 715, 
station 720 and systems 740, 750, 760 and 745, 755, 765 have operational capabilities 
common to their counterparts in network 1, plus additional operational capabilities 
hereafter described. 

Turning to Fig. 8, a functional diagram of a basic authentication server 800 
preferably operable on station 720 is shown. Server 800 is preferably interoperative with 
devices 710, 715 and systems 740, 750, 760 and 745, 755, 765 and associated modules, 
agents and clients to perform the functionality of server 320 described above, including 
RSRC AUTH means 510, CNCT EST means 520, ID VER means 530, ID STOR means 
540 and NET MNTR means 550. 

Server 800 also includes ENH CNCT EST means 810. Means 810 serves to 
establish and maintain a secure connection with enhanced authentication server 770. A 
TCP/IP based flow is contemplated. Server 800 also includes ENH RSRC AUTH means 
820. Means 820 serves to enable network administrators to define, on an individualized 
basis, an enhanced authentication method for each prospective user of network 7. Means 
820 enables a network administrator to enter user-specific entries which additionally 
include enhanced authentication method information. Enhanced authentication method 
information includes information sufficient to enable basic server 800 to identify a 
device, station, or system within network 7 which will conduct the enhanced 
authentication session, if any, the prospective user must successfully complete to become 
authenticated. Preferably, enhanced authentication method information includes an IP 
address of enhanced authentication server 770. Enhanced authentication methods may 
include one of various security methods implemented on enhanced authentication server 
770. Authentication methods marketed under the trade names Secure ID™ by Security 
Dynamics, Inc. and methods that comply with Internet Engineering Task Force (IETF) 
RFC 2058 Remote Authentication Dial-in User Service (RADIUS) are referenced herein 
by way of example. 

verifying log-in responses received from a user and that the user is authorized to use the 
network 7 at the time of the log-in attempt, to initiate an enhanced authentication method, 
if indicated. Means 830, upon determining that the log-in response matches user 
identification information associated with a user-specific entry in user records, and upon 
determining that the user is time-authorized if time restrictions are indicated, checks 
whether there is an enhanced authentication method associated with the matching user-
specific entry. If an enhanced authentication method is indicated, means 820, before 
transmitting authorized connectivity information and user status information to the agent 
on the appropriate one of devices 710, 715, transmits a request to enhanced 
authentication server 770 to conduct an enhanced authentication session with the user. 
The enhanced authentication session is preferably conducted between enhanced server 
770 and the user transparently to basic server 800. Enhanced server 770 instructs basic 
server 800 of the results of the enhanced authentication session. If the user was 
successfully authenticated, means 830 transmits to the agent authorized connectivity 
information and user status information, preferably in the form of a log-in valid message. 
If the user was not successfully authenticated, means 830 transmits user status 
information, preferably a log-in invalid message, but no authorized connectivity 
information. If an enhanced authentication method is not indicated when the check for an 
enhanced authentication method is performed, means 830 transmits to the agent 
authorized connectivity information and user status information, in the form of a log-in 
valid message, without engaging server 770. If a matching entry for user identification 
information is not found in user records, or if the user is not time-authorized, means 830 
transmits to the agent user status information, in the form of a log-in invalid message, 
without transmitting authorized connectivity information. 

Referring now to Fig. 9, a flow diagram illustrates a preferred method for 
implementing the invention within network 1. When device 10 is initialized (905), agent 
400 attempts to establish a secure connection with server 320 using the known address of 
server 320. Once a TCP session is successfully established, agent 400 and server 320 
authenticate one another by exchanging authentication keys. 

When a user boots-up device 40 (910), client 360 activates. Client 360 sends an 
authentication request to agent 400 using a known address of agent 400. Authentication 
requests are transmitted to agent 400 periodically until agent 400 responds. When agent 
400 receives a request, agent 400 responds by transmitting a log-in prompt to client 360. 

The user enters a log-in response and the response is transmitted to agent 400 
(915). Agent 400 transmits authentication information to server 320. Authentication 
information preferably includes an address of device 10, an identifier of authentication 
module 240 associated with system 40, and the log-in response. 

Server 320 determines whether the log-in response is recognized on station 20 
(920). Server 320 checks user records 330 for a user-specific entry having user 
identification information matching the log-in response. If a matching entry is found, 
server 320 checks any time restrictions associated with the entry to determine if the user 
is authorized to use the network resources at the particular time (925). If the prospective 
user is time-authorized, server 320 retrieves the list of authorized network resources and 
any time restrictions associated with the matching user identification information. The 
information is transmitted to agent 400 (930) along with user status information, 
preferably a log-in valid message. If no matching entry is found (935), or if the user is 
not time-authorized (940), user status information, preferably a log-in invalid message, is 
returned to the user via agent 400. Agent 400 also in that instance determines if user has 
made the configurable number of failed log-in attempts (945). If the configurable 
number of failed log-in attempts has been reached (950), agent 400 terminates the 
authentication session with client 360. The user is denied network access until such time 
as the user reboots system 40. If the configurable number of failed log-in attempts has 
not been reached (955), agent 400 presents the user with another log-in prompt. 

Turning to Fig. 10, a flow diagram illustrates a preferred method for 
implementing the invention within network 7. The method proceeds generally as in Fig. 
9, except that an enhanced authentication method is performed, if indicated. 
Accordingly, once a determination is made that the user is time-authorized (1005), basic 
server 800 checks whether there is an enhanced authentication method associated with 
the matching entry (1010). If an enhanced authentication method is indicated, server 800 
transmits a request to enhanced authentication server 770 to conduct an enhanced 
authentication session with the user (1015). Enhanced server 770 informs basic server 
800 of the results of the enhanced authentication session. If the session was successfully 
completed (1020), basic server 800 transmits authorized connectivity information and 
user status information, in the form of a log-in valid message, to the agent (1030). If 
enhanced session was not successfully completed (1025), basic server 800 transmits a 
log-in invalid message to user and does not transmit authorized connectivity information 
to agent. Agent also in that instance determines if user has made a configurable number 
of failed log-in attempts. The authentication session either continues or terminates as 
discussed depending on the outcome of that inquiry. If an enhanced authentication 
method is not indicated when the check for an enhanced authentication method is 
performed (1010), server 800 transmits authorized connectivity information and user 
status information, in the form of a log-in valid message, without requesting server 770 to 
conduct an enhanced authentication session. 
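The server-side decision sequence of Figs. 9 and 10 (match the log-in response against user records, apply any time restriction, run the enhanced method only when the entry indicates one, and let the agent count failed attempts), modelled in Python as an added example that is not part of the patent. The record fields, the sample users, the hour-range form of the time restriction and the run_enhanced callback standing in for enhanced server 770 are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional

@dataclass
class UserEntry:          # one user-specific entry in user records 330 (shape assumed)
    resources: list                          # authorized network resources
    hours: Optional[tuple] = None            # (start_hour, end_hour) time restriction
    enhanced_server: Optional[str] = None    # address of enhanced server 770, if any

@dataclass
class Decision:           # what the server returns to agent 400
    status: str                                     # "log-in valid" / "log-in invalid"
    resources: list = field(default_factory=list)   # empty unless status is valid
    enhanced_requested: bool = False

# Constructed sample records; here the log-in response is the user identification itself.
SAMPLE_RECORDS = {
    "alice": UserEntry(["printer-lan", "file-server"]),
    "bob": UserEntry(["file-server"], hours=(8, 18)),
    "carol": UserEntry(["file-server", "wan-link"], enhanced_server="192.0.2.10"),
}

def time_authorized(entry: UserEntry, now: datetime) -> bool:   # step 925 / 1005
    return entry.hours is None or entry.hours[0] <= now.hour < entry.hours[1]
def verify_login(records: dict, login_response: str, now: datetime,
                 run_enhanced: Callable[[str, str], bool]) -> Decision:
    # Server-side checks of Fig. 9 (920-940) and Fig. 10 (1005-1030); run_enhanced
    # stands in for the session conducted by enhanced server 770 and returns its result.
    entry = records.get(login_response)
    if entry is None:                        # (935) no matching entry
        return Decision("log-in invalid")
    if not time_authorized(entry, now):      # (940) outside allowed hours
        return Decision("log-in invalid")
    if entry.enhanced_server is None:        # (1010) none indicated -> (930)/(1030)
        return Decision("log-in valid", list(entry.resources))
    if not run_enhanced(entry.enhanced_server, login_response):   # (1015)/(1025)
        return Decision("log-in invalid", enhanced_requested=True)
    return Decision("log-in valid", list(entry.resources), True)  # (1020)

class AgentSession:       # agent 400's failed-attempt handling (945/950/955)
    def __init__(self, max_failures: int):
        self.max_failures, self.failures = max_failures, 0
    def handle(self, decision: Decision) -> str:
        if decision.status == "log-in valid":
            return "connected"
        self.failures += 1
        if self.failures >= self.max_failures:   # (950) denied until system 40 reboots
            return "terminated"
        return "prompt again"                    # (955)
```

Note that a failed enhanced session yields an invalid message with no connectivity information, exactly as a failed basic check does, so the agent's attempt counter treats both the same way.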

It will be appreciated by those of ordinary skill in the art that the invention can be 
embodied in other specific forms without departing from the spirit or essential character 
hereof. The present description is therefore considered in all respects to be illustrative 
and not restrictive. The scope of the invention is indicated by the appended claims, and 
all changes that come within the meaning and range of equivalents thereof are intended to 
be embraced therein. 